Security firms and journalists continue their discussions of Regin, amid much disagreement. Some doubt its connection to Belgian network intrusions, others see NSA's hand, but more eyes are directed toward GCHQ. Techworld in particular notes Regin's absence of a kernel-level bypass for PatchGuard (which it thinks points to GCHQ) and an apparent schedule that coincides with typical UK office hours. US-CERT has published a fairly extensive overview of the spyware (which "has not," US-CERT notes blandly, "been identified targeting any organizations within the United States").
Many journalists wonder why security companies like Symantec and F-Secure took so long to announce their discoveries of the campaign, especially since signs of it have been appearing for several years. Disclosure of Regin also coincides with German irritation over what the Süddeutsche Zeitung reports as GCHQ's suborning of Vodaphone subsidiary Cable and Wireless to enable cable tapping. It also coincides with UN deliberation of a resolution on Internet surveillance: Germany and Brazil push restrictions; the Five Eyes push back by reminding the General Assembly that fighting ISIS significantly depends on such surveillance.
Sony's breach investigation continues. Some of the apparent hackers make the (unconfirmed) claim they had physical access to Sony facilities, and that this facilitated their attack.
Retailers and shoppers skittish over holiday trade receive many warnings and much advice.
Abode issues an out-of-band patch for Flash Player.
Home Depot says it's spent $43M on its recent data breach and expects to incur ongoing costs. It's also facing "at least 44 civil lawsuits."